Argo CD Configuration
What is Argo CD?
Argo CD is TDP's GitOps continuous delivery tool.
It monitors a Git repository and ensures that what is in the Kubernetes cluster is always in sync with what is in Git — if you change a configuration file in the repository, Argo CD detects the change and applies it to the cluster automatically.
In TDP Kubernetes, Argo CD is mainly used to manage the lifecycle of the TDP charts themselves in the App of Apps model: a root Application that manages other Applications, each responsible for a TDP component.
This is described in detail in the installation via Argo CD and update guides.
Argo CD uses Helm to render the charts and apply resources to the cluster. The difference is that you do not run helm upgrade manually — Argo CD does it automatically when it detects changes in Git. The configuration flow (values files, secrets) remains the same.
The tdp-argo chart wraps Argo CD 3.2.5 as a wrapper over the upstream argo-cd chart.
Overview
| Property | Value |
|---|---|
| Chart | tdp-argo |
| Argo CD version | 3.2.5 |
| Chart version | 3.0.1 |
| Upstream | argo-cd chart |
| Model | App of Apps (GitOps) |
| Supported features | LDAP, Ingress, and Gateway API |
Related pages
- Security — Argo CD — LDAP via Dex, RBAC, and NetworkPolicy
- External exposure: Ingress and Gateway API — HTTP/HTTPS exposure of the UI
- Installation via Argo CD — GitOps bootstrap and App of Apps
- Argo CD update — updating chart versions
Helm value structure
All values must be set under tdp-argo: (the dependency alias in Chart.yaml):
tdp-argo:
server:
resources:
requests:
cpu: "250m"
memory: "256Mi"
TDP-specific settings
The chart includes TDP-specific settings, outside the upstream scope:
skipCrdCheck— validates thattdp-crdsis installed before the deployment.TDP-Settings.gateway— exposure control via Ingress or Gateway API.gatewayApi— Gateway API configuration for the HTTPRoutes.
Prerequisites: CRDs (tdp-crds)
Installing the CRDs before the main chart is mandatory:
helm upgrade --install tdp-crds \
oci://registry.tecnisys.com.br/tdp/charts/tdp-crds \
-n <NAMESPACE> --create-namespace
The main chart keeps tdp-argo.crds.install=false to avoid CRD lifecycle conflicts in Helm. tdp-crds consolidates the CRDs of all platform components (Argo CD, Kafka, NiFiKop, ClickHouse, OpenMetadata, and cert-manager) in a single release.
- Installation
- Main parameters
- Configuration details
- Access & Security
- Uninstallation
Installation
Via the deploy.sh script (recommended)
The deploy.sh script automates the full Argo CD installation:
./deploy.sh --install -v variables.env.local
What is executed:
helm registry login→ authenticates to the OCI registryhelm upgrade --install tdp-crds→ installs the CRDshelm upgrade --install tdp-argo→ installs Argo CDkubectl rollout status→ waits for the pods to be ready- Renders the templates → populates
current/ - Applies the common resources (AppProject, Secrets, App of Apps)
The full GitOps flow (repository structure, variables.env.local, bootstrap, and synchronization) is documented in Installation via Argo CD.
Via direct Helm
For a manual installation via Helm:
helm upgrade --install tdp-argo \
oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
-n <NAMESPACE> --create-namespace \
--set skipCrdCheck=false
Verification
Installation ConfigMap
kubectl get configmap tdp-argo-argo-install-properties -n <NAMESPACE> \
-o jsonpath='{.data.install\.properties}' | tail -10
kubectl get configmap tdp-argo-argo-install-properties -n <NAMESPACE> -o jsonpath='{.data.argo-admin-install\.properties}' | tail -10
Pods
kubectl get pods -n <NAMESPACE>
All pods must be in Running status.
Main parameters
| Parameter | Description | Default |
|---|---|---|
skipCrdCheck | Skips CRD validation (use only for helm template) | false |
tdp-argo.crds.install | Installs CRDs via upstream (must be false) | false |
tdp-argo.dex.enabled | Enables Dex for LDAP | false |
tdp-argo.configs.cm.url | Argo CD public URL | https://argo.tdp.local |
tdp-argo.configs.secret.* | Secrets for credentials | — |
tdp-argo.rbacConfig | RBAC configuration | — |
tdp-argo.global.networkPolicy.* | NetworkPolicy settings | create: false |
TDP-Settings.gateway.ingress.enabled | Enables Ingress | false |
TDP-Settings.gateway.gatewayApi.enabled | Enables Gateway API | false |
tdp-argo.openshift.enabled | OpenShift compatibility | false |
Main settings
Public URL (configs.cm.url)
Align the URL with how users access Argo CD (relevant for Dex/LDAP):
tdp-argo:
configs:
cm:
url: https://<ARGOCD_HOSTNAME>
Application namespaces
By default, Argo CD manages Applications in all namespaces (application.namespaces: "*"):
tdp-argo:
configs:
params:
application.namespaces: "*"
To restrict it to a specific set (for example, only <NAMESPACE>):
tdp-argo:
configs:
params:
application.namespaces: "<NAMESPACE>"
HTTP vs HTTPS
By default, HTTP access is enabled (server.insecure: "true"), useful behind an Ingress, service mesh, or TLS-terminating proxy:
tdp-argo:
configs:
params:
server.insecure: "true"
To force HTTPS, set the value to "false".
OpenShift compatibility
For OpenShift deployments, enable compatibility:
tdp-argo:
openshift:
enabled: true
Alternatively, you can enable compatibility directly during installation:
helm upgrade --install tdp-argo \
oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
--namespace argocd --create-namespace \
--set tdp-argo.openshift.enabled=true \
--set tdp-argo.redis.securityContext.runAsUser=null \
--set tdp-argo.redis.securityContext.fsGroup=null
This creates the anyuid SCC RoleBinding for Redis and adjusts the security contexts as needed.
Resource sizing
Recommended resource settings per Argo CD component:
tdp-argo:
server:
resources:
requests:
cpu: "250m"
memory: "512Mi"
limits:
cpu: "1"
memory: "2Gi"
repoServer:
replicas: 2
resources:
requests:
cpu: "250m"
memory: "256Mi"
limits:
cpu: "1"
memory: "2Gi"
controller:
replicas: 2
resources:
requests:
cpu: "500m"
memory: "1Gi"
limits:
cpu: "2"
memory: "4Gi"
redis:
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "250m"
memory: "512Mi"
dex:
resources:
requests:
cpu: "50m"
memory: "64Mi"
limits:
cpu: "250m"
memory: "256Mi"
Available overlays
The chart includes overlays for specific scenarios:
values-ldap.yaml— Pre-filled LDAP configurationvalues-openshift.yaml— OpenShift SCC compatibilityvalues-tdp-gateway.yaml— Gateway API configurationvalues-tdp-ingress.yaml— Ingress configurationvalues-tdp-ingress-openshift.yaml— Ingress + OpenShift
Usage:
helm upgrade --install tdp-argo \
oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
-n <NAMESPACE> \
-f values-ldap.yaml \
-f values-tdp-gateway.yaml
Access and credentials
- User:
admin - Initial password: stored in the
argocd-initial-admin-secretSecret:
kubectl -n <NAMESPACE> get secret argocd-initial-admin-secret \
-o jsonpath="{.data.password}" | base64 -d
Change the password after the first login in the Argo CD interface (Settings → Account → Update Password).
Security
Argo CD supports LDAP authentication via Dex (tdp-argo.dex.enabled), mapping LDAP groups to roles in tdp-argo.rbacConfig. For the full configuration — bind Secret creation, dex.config, RBAC policy, and troubleshooting — see Security — Argo CD.
External exposure
The Argo CD UI/API can be exposed via Ingress or Gateway API (mutually exclusive), controlled by TDP-Settings.gateway. For the full Ingress and Gateway API examples, see External exposure.
NetworkPolicy
By default, the chart does not create NetworkPolicies (tdp-argo.global.networkPolicy.create: false), keeping traffic open. To enable the upstream allow-all policies or apply your own network restriction, see Security — Argo CD.
Uninstallation
helm -n <NAMESPACE> uninstall tdp-argo
This removes all resources of the release. Optional additional cleanup: remove orphaned PVCs, ConfigMaps, or Secrets if the cluster policy requires it:
kubectl delete pvc -n <NAMESPACE> --all
kubectl delete configmap -n <NAMESPACE> --all
kubectl delete secret -n <NAMESPACE> --all
Update
To update Argo CD:
# Via deploy.sh
./deploy.sh --install -v variables.env.local
# Via direct Helm
helm upgrade tdp-argo \
oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
-n <NAMESPACE> \
--set skipCrdCheck=false
For the full update procedure, see Argo CD update.